Audit of NARA's Management Control over Microsoft Access Applications and Databases

View Report

Date Issued

Friday, November 18, 2016

Submitting OIG

National Archives and Records Administration OIG

Other Participating OIGs

National Archives and Records Administration OIG

Agencies Reviewed/Investigated

National Archives and Records Administration

Report Number

17-AUD-04

Report Description

This audit was conducted to identify MS Access applications and databases in use across NARA, assess the security controls for those applications and databases, and determine whether NARA is appropriately positioned to accommodate and maintain the applications and databases and security controls after the planned MS Access upgrade to a newer version.

Report Type

Audit

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
3	Yes	$0	$0
We recommend the Chief Information Officer, in conjunction with each program office, develop and implement a comprehensive, systematic process to determine when a MS Access application or database should be recognized as an IT system.
4	Yes	$0	$0
We recommend the Chief Information Officer, in conjunction with each program office: Determine all MS Access databases containing PII and ensure they are: (a) encrypted in storage and transmission; and (b) password-protected in accordance with NARA Directive 1608 and the Privacy Act.
5	Yes	$0	$0
Develop and implement a process, for future MS Access applications and databases created by program offices, including notification to and approval from the Office of Information Services for those that are mission-critical and/or contain PII or otherwise sensitive information.